Skip to main content Skip to complementary content
Qlik Resources

Configuring NodeGraph with SSL/TLS

To enable SSL on your NodeGraph instance, you must first have a certificate to bind to the NodeGraph service port.

Creating a self-signed certificate

If you do not have a root certificate, you can create one for your local machine. These should only be used in verification of your setup, on any Production machine it is recommended to have a root trusted certificate.

Using Powershell :
> $cert = New-SelfSignedCertificate -certstorelocation cert:
\localmachine\my -dnsname machine.domain.com
> $pwd = ConvertTo-SecureString -String 'PassW0rd' -Force -AsPlainText ## do not use PassW0rd as password
> $path = 'cert:\localmachine\my\' + $cert.thumbprint
> Export-PfxCertificate -cert $path -FilePath C:\temp\localcert.pfx -Password $pwd

You can also print the$cert.thumbprint to screen as you will need this momentarily.

Information noteConsult your IT department for questions regarding certificates.

Start by stopping the NodeGraph service.

Run the following command to reserve your NodeGraph port (change 4114 to desired port)

Using Console/Powershell :

> netsh http add urlacl url = https://*:4114/ user=EVERYONE
URL reservation successfully added

Get the thumbprint from your certificate and bind the certificate to the desired port (make sure to change to your values below).

Using Console/Powershell :

> netsh http add sslcert ipport = 0.0.0.0:4114 appid ='{c85b917f-b2c1-4112-8fbd-a1411dc228a3}' certhash = 4c2b5975777ae43fdbede07773510ebe94d674d4
SSL Certificate successfully added
Information noteThe appid can be any valid GUID. It can be used to enforce increased security, making sure that the application devoted to the port and certificate is the only app using this binding. It needs to be activated separately.
Search “generate GUID” in your Search Engine of choice.
We defer to Microsoft Support on how to achieve this.

Getting the NodeGraph AppId

To get the appID of your NodeGraph installation.

Using Powershell :

> Get-AppLockerFileInformation -Path "C:\Program Files\NodeGraph\NodeGraphServer.exe

"RunspaceId : c85b917f-b2c1-4112-8fbd-a1411dc228a3
Path : %PROGRAMFILES%\NODEGRAPH\NODEGRAPHSERVER.EXE
Publisher :
Hash : SHA256 0x96A4B93EDA58686DB37EDCBC06068176F1336A2E0F183BCC9E2DB8BC472C2C6F
AppX : False

In the located in the NodeGraphServer.exe installation folder, change the following attribute.

config<add key="Port" value="4114" /><add key="UseTLS" value="true" />
Information noteThis configuration file is overwritten on a new install / upgrade. Make sure to document this and/or create a backup prior to any software changes.

If we start the service again, Nodegraph will now operate on HTTPS instead.

You will be met by this page as long as you have a self-signed cert (or until you whitelist the server).

NodeGraph with self-signed SSL/TLS certificate

A "Your connection isn't private" warning message on localhost 4114.

This is expected and part of the validation process of the trust-chain of certificates (not a NG issue).

Press Advanced > Proceed to <url> (unsafe) to circumvent.

Troubleshooting

I had TLS, but after upgrade my URL wont work?

Your settings are overwritten in the NodeGraphServer.exe.config. See above for restoring these values.

Most browsers today hide the protocol prefix of URLs. Even if you have entered https, the icon in Chrome will not indicate this if there are no services listening on the other side.

It will say secure/insecure (but acknowledging https) if the service is listening.

My settings in NodeGraphServer.exe.config was overwritten, can I find out what I once had?

Yes. If you still have log files of NodeGraph under (default) ProgramData\NodeGraph\logs, you can figure out your settings. In nodegraphsever_YYYY-MM-DD-HH-mm-ss.log , search for

... Server running at ...

In my logfile, I have the following info

2020-09-09 09:01:02.5271 NodeGraph INFO Server running at https://*:4141.

By this, I can deduce i had the following parameters

<add key="Host" value="*" /> <!-- Corresponds to * -->
<add key="Port" value="4141" /> <!-- Corresponds to :4141 -->
<add key="UseTLS" value="true" /> <!-- Corresponds to http/https:// -->

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!

Leave your feedback here